WordPress Security

Here's a little WordPress security tip that limits the damage if the administration area is breached, and that also stops administrators hacking about in the code of the theme or any of the plugins. Concretely, it disables the built-in theme and plugin editor in the dashboard, so an attacker who gets hold of an admin login can no longer drop PHP into a theme file from the browser. Keeping admins out of the code is something you wouldn't want them doing anyway, for various reasons, but mainly because, from a development perspective, you could be creating work for yourself that is otherwise unnecessary. Why is that? I hear you ask!

Well, consider this: your administrator has access to edit the theme or plugin files and a fair amount of knowledge, whether it's the CSS, the HTML or the PHP, and say this goes on for months with poor practices. Perhaps the CSS isn't cross-browser compatible, the HTML markup isn't semantic or the PHP has no error handling. Can you imagine the hours of work involved correcting the cross-browser issues, or pinpointing a PHP bug caused by a missing variable or a botched foreach loop?

Regardless of the hours of work involved, there is always the dreaded "white screen of death"! You've got to be some kind of hybrid zen maverick genius to be editing files live on the server, or just a complete numpty. "Yo Joe, if you break something in production that's the site down, muppet!" is just one of the phrases I like to use. So from a development point of view the questions I'd be asking are: when did it happen, what has changed recently, did you change anything just before this happened, and, hmm, was it edited live on the server? The built-in editor keeps no history of who changed what, so those questions are all you have to go on.

Of course there is also the issue of getting hacked! There are nasty people out there in cyberspace who don't need to be that smart to figure out your username (WordPress tends to give it away in author archive URLs), though the password could be a little trickier to guess, but that's a different blog post; let's just say they have ways and means. So, say they do get in and, through that same editor, start injecting your JS files or adding PHP scripts and create havoc with your website. Oh lordy, more hours down the drain!

Anyway, to prevent all this heartache and needless hours of work there is a simple solution: disable editing of plugins and themes in the backend. There is probably a plugin for this, but why would you want to install a plugin that the administrator (or whoever has hijacked their session) could simply deactivate, opening up all that heartache again? Do it in the wp-config.php file, which nothing in the dashboard can change, by adding this line:

[php]define('DISALLOW_FILE_EDIT', true);[/php]

Open up your favourite FTP client, browse to the wp-config.php file on your server, duplicate it and prefix the copy with "backup_", e.g. backup_wp-config.php, then copy that to your local environment and delete the one you just renamed on the server, i.e. remove backup_wp-config.php. Don't skip the delete: a backup that lingers on the server under a name PHP doesn't execute (wp-config.php.bak, say) is served to anyone who asks for it as plain text, database password included.

This way you have a backup of your original file on your local machine if anything goes wrong. Now open wp-config.php and look for the line that says:

[php]/* That's all, stop editing! Happy blogging. */[/php]

And paste this line above it:

[php]define('DISALLOW_FILE_EDIT', true);[/php]

Now save the file back to the server. Some functions and plugins merely hide the menu entries, and the editor pages stay reachable if you type their URLs. This constant is different: WordPress drops the edit_themes, edit_plugins and edit_files capabilities for every user, so the Theme Editor and Plugin Editor vanish from the menus and the editor pages themselves (wp-admin/theme-editor.php and wp-admin/plugin-editor.php) refuse to load. Sweet, huh! One caveat: it only kills the editor. An administrator, or an attacker holding an admin login, can still upload a new plugin or theme zip from the dashboard, which gets their PHP onto the server just the same. If you deploy from version control and don't need dashboard installs, define DISALLOW_FILE_MODS as true as well; that also switches off installing and updating plugins, themes and core from the dashboard, so only do it if updates happen some other way.

Before / After: (screenshots of the admin menu with and without the editor entries; images not reproduced here)

Check that the site still works from the front end, then log in to the backend and try to edit a theme or plugin. If everything went smoothly, all's sweet and you shouldn't see any editing options. Also try going straight to wp-admin/theme-editor.php, since that is what an attacker would do: it should come back with a "you are not allowed" message rather than an editor. If anything goes wrong, just remove wp-config.php on the server, copy backup_wp-config.php back up, remove the "backup_" prefix and everything should be as it was before; then try again. If you have any questions feel free to leave a comment, I'd be happy to answer them.
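The same backup, edit and check, as an added example written for this page rather than taken from the original post, done from a shell on the server instead of an FTP client. It assumes a stock wp-config.php that still contains the "That's all, stop editing!" marker line; the paths (/var/www/example/wp-config.php, /root/wp-config-backups), the function names and the WITH_FILE_MODS switch are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the wp-config.php
# change from a shell: backup first, insert the define above the marker line,
# then check it landed where WordPress will see it.
# Assumed paths: /var/www/example/wp-config.php, /root/wp-config-backups.

# Insert define('$name', true); above the "stop editing" marker in $cfg.
# Idempotent: a define that is already true is left alone; one that is
# defined but not true is reported and left for a human.
add_define() {
    cfg="$1"; name="$2"
    if grep -q "define( *['\"]$name['\"]" "$cfg"; then
        if grep -q "define( *['\"]$name['\"] *, *true" "$cfg"; then
            echo "$name already set to true in $cfg, nothing to do"
            return 0
        fi
        echo "$name is already defined in $cfg but not as true; fix it by hand" >&2
        return 1
    fi
    if ! grep -q "stop editing" "$cfg"; then
        echo "no 'stop editing' marker in $cfg, refusing to guess where the define belongs" >&2
        return 1
    fi
    tmp="$cfg.tmp.$$"
    # Place the define directly above the marker so it is set before
    # wp-settings.php loads. Write back through cat so the live file keeps its
    # owner and permissions (mv would replace them with the temp file's).
    awk -v def="define('$name', true);" '
        /stop editing/ && !done { print def; done = 1 }
        { print }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
    echo "added $name to $cfg"
}

# Back the file up outside the web root, then add the define(s).
# WITH_FILE_MODS=1 (made-up switch) also sets DISALLOW_FILE_MODS, which closes
# the "upload a plugin zip" route an admin account still has but also turns off
# dashboard installs and updates, so only use it if you update some other way.
harden_wp_config() {
    cfg="$1"; backup_dir="$2"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    # A copy left beside the live file under a non-.php name (wp-config.php.bak)
    # would be served as plain text, database password included.
    mkdir -p "$backup_dir"
    cp -p "$cfg" "$backup_dir/wp-config.php.$(date +%Y%m%d-%H%M%S).$$"
    add_define "$cfg" DISALLOW_FILE_EDIT || return 1
    if [ "${WITH_FILE_MODS:-0}" = 1 ]; then
        add_define "$cfg" DISALLOW_FILE_MODS || return 1
    fi
    # Syntax-check the result where a PHP CLI is available; a typo here is the
    # white screen of death for the whole site.
    if command -v php >/dev/null 2>&1; then
        php -l "$cfg" >/dev/null || return 1
    fi
}

# Succeeds only if DISALLOW_FILE_EDIT is true and sits above the marker, i.e.
# before wp-settings.php would load. Run it after the change and again from
# time to time: anyone who can rewrite wp-config.php can undo this.
verify_wp_config() {
    cfg="$1"
    def_line=$(grep -n "define( *['\"]DISALLOW_FILE_EDIT['\"] *, *true" "$cfg" | head -n 1 | cut -d: -f1)
    marker_line=$(grep -n "stop editing" "$cfg" | head -n 1 | cut -d: -f1)
    [ -n "$def_line" ] && [ -n "$marker_line" ] && [ "$def_line" -lt "$marker_line" ]
}

# Usage: sh harden-wp-config.sh /var/www/example/wp-config.php /root/wp-config-backups
if [ "$#" -ge 1 ]; then
    harden_wp_config "$1" "${2:-/root/wp-config-backups}" \
        && verify_wp_config "$1" && echo "verified: dashboard editor disabled"
fi
```

The verify step is the scripted version of the manual check above: it confirms the define is present, true, and placed before WordPress has loaded its settings. The browser check (visiting wp-admin/theme-editor.php directly) is still worth doing once, because it tests the running site rather than the file.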